haskell/yesod
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Explain what sslOnlyMiddleware really does (#1262)

Browse Source 
Doc updated per
<https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security>.

I was tipped off to the discrepancy when my site worked totally fine over
http, in spite of the claim, "This middleware makes a site functionally
inaccessible over vanilla http in all standard browsers."
This commit is contained in:
Bryan Richter 2016-08-24 18:24:32 +03:00 committed by Greg Weber
parent 2ec13368f5
commit 111b017f58
1 changed files with 3 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
yesod-core/Yesod/Core/Class/Yesod.hs
View File

@ -419,9 +419,9 @@ sameSiteSession s = (fmap . fmap) secureSessionCookies
-- all responses so that browsers will rewrite all http links to https -- all responses so that browsers will rewrite all http links to https
-- until the timeout expires. For security, the max-age of the STS header -- until the timeout expires. For security, the max-age of the STS header
-- should always equal or exceed the client sessions timeout. This defends -- should always equal or exceed the client sessions timeout. This defends
-- against hijacking attacks on the sessions of users who attempt to access -- against SSL-stripping man-in-the-middle attacks. It is only effective if
-- the site using an http url. This middleware makes a site functionally -- a secure connection has already been made; Strict-Transport-Security
-- inaccessible over vanilla http in all standard browsers. -- headers are ignored over HTTP.
-- --
-- Since 1.4.7 -- Since 1.4.7
sslOnlyMiddleware :: Yesod site sslOnlyMiddleware :: Yesod site